vianceadmin asked:
Internal DNS for email server resolving to reverse lookup in public DNS

Running AD 2008 and AD 2003 with Exchange 2003.  Noticed some of our users cannot access email this morning and when I try to ping the email server, the reply comes back from our reverse lookup in public DNS for our mail server and they therefore cannot connect.  Internal DNS shows the server host name with the correct IP so I'm not sure why all the clients aren't resolving this name.  All the clients have DNS settings for the internal DNS servers inside the network.  Any ideas?
SOLUTION
Exchange_Geek
This solution is only available to members.
vianceadmin (ASKER):
=> Users are connecting internal (inside the network and behind the firewall).
=> Using Outlook 2007
=> Outlook shows "trying to connect"
=> If I ping the email server on the DNS servers they resolve to the correct internal host record.

If I do a ipconfig /flushdns on the client, and then try to ping the mail server it finds the correct host name.
So your clients are caching wrong information. Now the point is: how did they get the wrong DNS entry resolved?

Are these users laptop users by any chance?

Regards,
Exchange_Geek
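An added example, not code from the original thread: a small Python triage script for the situation Exchange_Geek describes above. It parses `ipconfig /displaydns` output from an affected client (a constructed sample is embedded; the hostnames, addresses and the expected internal zone table are placeholders, not values from this thread) and flags internal names whose cached answer is a public address, together with the remaining TTL, so you can see how long a client will keep using the external view before `ipconfig /flushdns` or expiry clears it.

```python
"""Triage a Windows client's DNS resolver cache for internal names that were
answered with a public address (added example; names/addresses are placeholders).

Usage: python dnscache_triage.py [cache.txt]   where cache.txt is the output of
       `ipconfig /displaydns` on the affected client. No argument = built-in sample.
"""
import ipaddress
import re
import sys

# Constructed sample of `ipconfig /displaydns` output (Windows 7 format).
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

    mail.corp.example
    ----------------------------------------
    Record Name . . . . . : mail.corp.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 3412
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    dc1.corp.example
    ----------------------------------------
    Record Name . . . . . : dc1.corp.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 590
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.1.1.5


    fileserver.corp.example
    ----------------------------------------
    Name does not exist.
"""

# Constructed: the A records the internal AD-integrated zone actually holds
# (what the DNS console or `dnscmd /enumrecords` would show for these names).
EXPECTED_INTERNAL = {
    "mail.corp.example": {"10.1.1.25"},
    "dc1.corp.example": {"10.1.1.5"},
    "fileserver.corp.example": {"10.1.1.30"},
}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_A_RECORD = re.compile(r"^A \(Host\) Record[ .]*:\s*(\S+)")
_TTL = re.compile(r"^Time To Live[ .]*:\s*(\d+)")


def is_private(ip):
    """True for RFC 1918 addresses, i.e. what an internal answer should contain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_displaydns(text):
    """Return {name: {"a": [ips], "ttl": seconds or None, "negative": bool}}.

    Each cache entry is a blank-line-separated block: the queried name, a dashed
    rule, then either record lines or "Name does not exist." for a cached NXDOMAIN.
    """
    cache = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or not lines[1].startswith("---"):
            continue  # the "Windows IP Configuration" banner, or noise
        entry = cache.setdefault(lines[0].lower(),
                                 {"a": [], "ttl": None, "negative": False})
        for ln in lines[2:]:
            if ln.startswith("Name does not exist"):
                entry["negative"] = True
                continue
            m = _A_RECORD.match(ln)
            if m:
                entry["a"].append(m.group(1))
                continue
            m = _TTL.match(ln)
            if m:
                entry["ttl"] = int(m.group(1))
    return cache


def triage(cache, expected):
    """Compare cached answers with the internal zone; returns {name: (status, ips, ttl)}.

    PUBLIC_ANSWER is the signature from this thread: the client accepted an answer
    from something serving the external view of the name and will keep using it
    until the TTL runs out or `ipconfig /flushdns` is run.
    """
    findings = {}
    for name, internal_ips in expected.items():
        entry = cache.get(name.lower())
        if entry is None:
            status = "NOT_CACHED"
        elif entry["negative"]:
            status = "NEGATIVE_CACHED"   # cached NXDOMAIN: resolver did not know the name
        elif set(entry["a"]) == set(internal_ips):
            status = "OK"
        elif any(not is_private(ip) for ip in entry["a"]):
            status = "PUBLIC_ANSWER"
        else:
            status = "MISMATCH"          # private but not the zone's record (stale/other site)
        findings[name] = (status, entry["a"] if entry else [], entry["ttl"] if entry else None)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DISPLAYDNS
    for name, (status, ips, ttl) in sorted(triage(parse_displaydns(text), EXPECTED_INTERNAL).items()):
        print(f"{status:16} {name:28} {','.join(ips) or '-':16} ttl={ttl}")
```

A PUBLIC_ANSWER finding tells you the client got the external view from somewhere (an ISP forwarder, an external DNS server on a NIC, a hosts entry); it does not by itself say which, so pair it with the NIC, hosts file and forwarder checks discussed later in the thread.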
Yes, but not all the laptops are affected.  There are some desktops that have this issue too...
My understanding is that if laptops connect externally in non-production hours, chances are they connect through their local ISP and get the IP of Exchange from outside, i.e. your external-facing IP.

If your desktops are also facing this issue, I'd say monitor and check whether your DNS is sending out wrong responses. Also check whether your forwarder OR the client machines are set to external ISP DNS entries.

Regards,
Exchange_Geek
SOLUTION
Manpreet SIngh Khatra
Yeah, I thought of that too... Made sure wireless was disabled and not connecting to the guest network (that is separate from the internal network). No entries in local hosts files. Could problems with AD cause this? It's almost like their internal requests for DNS resolution are being sent to the DNS forwarders instead of being resolved internally. Could problems with AD be causing this?
I guess it's more of a DNS issue, as it's trying to send the requests to "root hint servers" (public DNS servers)... Check DNS and see whether communication over port 53 is working for the DNS servers, and you can do an NSLOOKUP and TRACERT to your DNS/DC or Exchange servers.

- Rancy
When I do a tracert for the email server, it resolves to the public IP and then tries to go out the firewall...Very strange.  Every other DNS resolution internally works.
Wow... now that's strange.

OK, do this check with tracert for DC/DNS and other application servers (MOC, BB, whatever you have)... once you have a route, just check where the route changes or the query differs :)

As that's one good route, it could be some router or other issue, which is what I suspect... be fast if you have a query... I will be moving out in 20 mins :)

- Rancy
Not sure if I follow...You want me to do a tracert from the machine getting the bad record to a few of the DC's/DNS servers?
No, do a tracert to other servers; as you say the query goes to them, so a route is set... now when you do a tracert to Exchange, at some point or IP the query goes to the DNS server... now catch the IP just before the query goes to the public DNS server... possibly the issue resides there :)

- Rancy
Tracert would not help much, because it would show you the path, which *may* not be helpful to understand WHY these servers are not picking up the correct DNS entries.

What I'd suggest is to understand if there is a local A record on the DNS box that points to external IP of the Mail Server.

Also, check if these client boxes have external DNS set up on their NIC Cards - confirm this please.

To answer your question: NO, AD will not be the culprit here, since AD too depends on DNS for its name resolution.

Your local DNS needs to have the Mail Server registered on it, and it should then respond to client queries with the IP of the Mail Server. If this is not happening, as I suggested earlier, this is more of a client-box issue: either they are talking to external DNS servers (via NIC card settings), OR a WAN card issue (as Rancy suggested), OR hosts file entries.

Let us hope to clear our doubts and get this mystery solved.

Regards,
Exchange_Geek
SOLUTION

ASKER CERTIFIED SOLUTION
I checked on the DNS servers and there is no local A record. I even looked at their hosts file but nothing there either.

The clients don't have external DNS setup on their NICs.  They get IP and DNS settings via DHCP.
Do we have proper DNS records for the Exchange server, and are we able to do a successful NSLOOKUP from the Exchange server?

- Rancy
Yes, it's very strange.  Yesterday throughout the day I had multiple people not be able to connect to Outlook because they were resolving the Public IP.  Today, not one...So the DNS settings for the Exchange server do work...
By any chance are these users using RPC over HTTP?

Regards,
Exchange_Geek
I would agree with Tushar's comment and see if they are working with Outlook Anywhere...

- Rancy
No, using Outlook profile for internal connectivity (not rpc over http).
Is the issue happening for users on a particular site?
How are you sure that Outlook works on internal connectivity and not RPC over HTTPS... do you mean it's not configured? When the users face this issue, is anything noted with the network or on the CAS servers?

- Rancy
No, happens at both our sites.  

Yes, I meant that RPC over HTTP isn't configured in their Outlook profile. One thing I noticed yesterday was that when they couldn't ping the email server, they also couldn't ping a few other internal servers (couldn't find the host name). It's as if the request to the DNS server didn't even attempt to resolve it locally and sent the request straight to the DNS forwarder.
Makes me now doubt the capabilities of your DNS box.

I'm starting to think on the lines, where you possibly need to promote another box as DNS Server.

Your current box isn't being of much help, so you definitely need to start looking for an alternate box that can serve basic DNS functionality. I am hoping that you have DNS as an AD-integrated server. So, you can modify the DHCP scope to include both DNS servers to solve your issue.

BTW - can you confirm that there is no server added in DNS Forwarders tab - please.

Regards,
Exchange_Geek
If the issue is happening again and again, I would like to understand whether there is a time or day pattern or something... if not, then the suggestion from Exchange_Geek asking for a second DNS box doesn't make much sense to me, as it's going to add additional cost and administration.

- Rancy
Addition of second DNS server is for two reasons -

1) If the second DNS server works and resolves the issue, this can lead to phasing out the first DNS box
2) If introduction of second DNS server serves the purpose, it can be sustained as a backup DNS server in case the first one fails/crashes.

Regards,
Exchange_Geek
I have two sites and two DNS servers at each site (yes, they are AD integrated). Saw issues at both sites, although yesterday and today I haven't seen a single problem. I do have our ISP's DNS in the DNS forwarders of our DNS servers. I thought I had to have those in for the DNS servers to resolve external DNS requests for our internal clients...
Saw a similar issue recently where the problem was caused by the firewall on the DNS server, and so somehow the public IP was being returned instead of the internal IP.  Worth checking...
Would Win 7 adapter settings (Public/Home/Work) have anything to do with this?  Just curious...Firewall not enabled on the DNS servers...
You aren't supposed to have forwarders set to your ISP's DNS; please, please, please remove them. Root hints are supposed to resolve your queries, not forwarders.

That is the culprit for you.

Regards,
Exchange_Geek
SOLUTION
@footech: Forwarders are normally used if you want another server in your DMZ OR at the ISP to hold a stub zone, so basically if your DNS isn't equipped to resolve your query, there would be another server to accept queries based on the name server list of the stub zone. This is what is basically seen in big environments owning 15-20 DNS servers. Root hints are provided to get the basic recursive query answered.

Yes, forwarders and root hints can be used interchangeably, but the industry standard for working with DNS is that forwarders should be avoided. Yes, they can be used, but they are not recommended.

Theory isn't always seen in the practical world; I guess you agree on that.

Regards,
Exchange_Geek
footech: As I said earlier, if this was a single instance you can simply look at the event logs on the DNS server and check for any issues at that time on the server... if it's happening again and again, we can put more effort into this.

- Rancy
@Exchange_Geek - I've never heard that distinction made before.  Though to be honest I work on smaller deployments (not more than 4 DNS servers).  On SBS for example it is the standard configuration which is set by the wizards.

@Rancy - I think your comment is directed at the OP.
This issues seems to have resolved itself...
Wow, that's strange, but good if you aren't having the issue... so I guess we can close this off.

-Rancy

"Happy Christmas and New year :)"
Yeah, it was a strange issue to begin with.  But it just went away and it hasn't been an issue in months.  Yes, you can close it.  Thx.
Sorry to say, but you can only close it by choosing a solution, or multiple solutions, as you think helped you.

- Rancy
vianceadmin: Can you close the post, marking the solution or multiple solutions that helped?